chill117 / express-mysql-session

A MySQL session store for the express framework in node
MIT License
313 stars 109 forks

Question regarding expiration #115

Open mpgr04 opened 4 years ago

mpgr04 commented 4 years ago

As far as I noticed, both the session cookie and the entry in the MySQL session store of this module have a lifetime. Must both expiry times have the same value, or is one of them unnecessary? As soon as I call session destroy, both are removed anyway, the database entry and the cookie, but what happens when the expiration period is exceeded?

Thanks!

chill117 commented 3 years ago

The expiration of the session in your database applies server-side. This module has a function that clears expired sessions at a set interval - the time between checks can be configured. If the server deletes a session record from the database, the next time that the client with the corresponding session cookie visits your website, the server will not be able to find its session in the database. So the server will generate a new session for that client.

The expiration of the session cookie applies on the client-side (browser). Once a cookie has reached its expiration time, the browser should delete it. The client will no longer send its session cookie to your server. The next time that client visits your website, the server will create a new session for that client.

nullromo commented 2 years ago

I was confused about this too. To clarify,

| session_id | expires | data |
| --- | --- | --- |
| 3phuQRt... | 1656693448 | `{"cookie":{"expires":"2022-07-01T16:37:27.897Z",...},...}` |

This expires time is used internally by express-mysql-session to track when sessions should be deleted from the database. It's for cleaning up old sessions. Here, data.cookie.expires is the actual time that the user's cookie expires, which is effectively when the user will need to log in again. For most purposes, this is the value that you should check.

Hopefully I am understanding correctly. I spent a while trying to figure out why the expires field kept on creeping forward while the session was never being modified or touch()-ed anywhere in my code. Then I realized I should instead be checking data.cookie.expires to find out how much time the user had left.